@oxyhq/core 1.11.12 → 1.11.14

package/src/mixins/OxyServices.auth.ts

@@ -1,12 +1,14 @@
 /**
  * Authentication Methods Mixin
- * 
+ *
  * Supports password-based login (email/username) and public key challenge-response.
  */
 import type { User } from '../models/interfaces';
 import type { SessionLoginResponse } from '../models/session';
 import type { OxyServicesBase } from '../OxyServices.base';
 import { OxyAuthenticationError } from '../OxyServices.errors';
+import { loadNodeCrypto } from '../utils/platformCrypto';
+import { logger } from '../utils/loggerUtils';
 
 export interface ChallengeResponse {
   challenge: string;
@@ -41,36 +43,112 @@ export interface ServiceTokenResponse {
   appName: string;
 }
 
+/**
+ * One cache entry per (apiKey hash) → issued token + the secret that produced it.
+ * The secret is kept around in raw Buffer form so we can perform a
+ * constant-time compare against any reused credential pair — this prevents an
+ * attacker who learned a victim's apiKey from receiving the victim's cached
+ * service token by simply guessing the secret.
+ *
+ * @internal
+ */
+interface ServiceTokenCacheEntry {
+  token: string;
+  /** Expiry as ms since epoch */
+  expiresAt: number;
+  /** Raw secret stored as Buffer for constant-time comparison on cache hit */
+  secretBuf: Buffer;
+  /** In-flight refresh promise (deduplicates concurrent callers) */
+  pending: Promise<string> | null;
+}
+
+/**
+ * Sentinel error raised when getServiceToken() is called with a known apiKey
+ * but a non-matching secret. Indicates either credential drift in the caller
+ * or a cross-tenant cache lookup attempt. Surface as a 401-equivalent.
+ */
+export class ServiceCredentialMismatchError extends Error {
+  constructor() {
+    super('Service credential mismatch: provided secret does not match the secret stored for this apiKey');
+    this.name = 'ServiceCredentialMismatchError';
+  }
+}
+
 export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T) {
   return class extends Base {
-    /** @internal */ _serviceToken: string | null = null;
-    /** @internal */ _serviceTokenExp: number = 0;
-    /** @internal */ _serviceApiKey: string | null = null;
-    /** @internal */ _serviceApiSecret: string | null = null;
+    /**
+     * Per-credential token cache.
+     *
+     * Keyed by SHA-256(apiKey). Each entry carries:
+     *   - the issued service JWT
+     *   - its expiry timestamp
+     *   - the secret that produced it (Buffer for constant-time compare)
+     *   - an optional in-flight promise to deduplicate concurrent refreshes
+     *
+     * The previous implementation kept ONE token/exp pair per OxyServices
+     * instance. That meant calling `getServiceToken(keyA, secretA)` populated
+     * the cache, and a subsequent `getServiceToken(keyB, secretB)` (different
+     * tenant) would receive tenant A's token. This is fixed by routing every
+     * lookup through the Map.
+     *
+     * @internal
+     */
+    _serviceTokenCache = new Map<string, ServiceTokenCacheEntry>();
+
+    /** @internal Raw apiKey stored by configureServiceAuth() for use by getServiceToken() */
+    _serviceApiKey: string | null = null;
+    /** @internal Raw apiSecret stored by configureServiceAuth() for use by getServiceToken() */
+    _serviceApiSecret: string | null = null;
 
     constructor(...args: any[]) {
       super(...(args as [any]));
     }
 
+    /**
+     * Hash an apiKey into a stable Map cache key. Uses Node's SHA-256 — service
+     * tokens are only ever issued by a Node host (the SDK on web/RN never has
+     * the apiSecret in the first place), so we can rely on Node crypto here.
+     *
+     * @internal
+     */
+    async _hashApiKey(apiKey: string): Promise<string> {
+      const nodeCrypto = await loadNodeCrypto();
+      return nodeCrypto.createHash('sha256').update(apiKey).digest('hex');
+    }
+
     /**
      * Configure service credentials for internal service-to-service communication.
      * Call this once at startup so that getServiceToken() and makeServiceRequest()
      * can automatically obtain and refresh tokens.
      *
+     * Calling this with credentials that differ from a previously-configured pair
+     * is allowed — each `(apiKey, apiSecret)` pair is cached independently, so
+     * legitimate multi-tenant hosts that need to switch credentials cannot leak
+     * one tenant's token to another tenant on the same instance.
+     *
      * @param apiKey - DeveloperApp API key (oxy_dk_*)
      * @param apiSecret - DeveloperApp API secret
      */
     configureServiceAuth(apiKey: string, apiSecret: string): void {
       this._serviceApiKey = apiKey;
       this._serviceApiSecret = apiSecret;
-      // Invalidate any cached token
-      this._serviceToken = null;
-      this._serviceTokenExp = 0;
     }
 
     /**
      * Get a service token for internal service-to-service communication.
-     * Tokens are short-lived (1h) and automatically cached/refreshed.
+     * Tokens are short-lived (1h) and automatically cached/refreshed per
+     * `(apiKey, apiSecret)` pair.
+     *
+     * Concurrent callers for the same credential pair share a single in-flight
+     * request to avoid hammering `/auth/service-token` when the cache is empty
+     * or expired.
+     *
+     * **Security guarantee:** if the cache already holds a token for this
+     * apiKey but the supplied apiSecret does not constant-time match the
+     * secret that originally produced that token, this method throws
+     * `ServiceCredentialMismatchError` instead of returning the cached token.
+     * This prevents an attacker who learned a peer's apiKey from extracting
+     * their service token by polling with a wrong secret.
      *
      * @param apiKey - DeveloperApp API key (optional if configureServiceAuth was called)
      * @param apiSecret - DeveloperApp API secret (optional if configureServiceAuth was called)
@@ -83,11 +161,79 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
         throw new Error('Service credentials not provided. Call configureServiceAuth() or pass apiKey and apiSecret.');
       }
 
-      // Return cached token if still valid (with 60s buffer)
-      if (this._serviceToken && this._serviceTokenExp > Date.now() + 60_000) {
-        return this._serviceToken;
+      const cacheKey = await this._hashApiKey(key);
+      const now = Date.now();
+      const providedSecretBuf = Buffer.from(secret, 'utf8');
+
+      let entry = this._serviceTokenCache.get(cacheKey);
+
+      // Verify the secret on every cache hit, regardless of token freshness.
+      // Constant-time compare prevents timing oracles on the stored secret.
+      if (entry) {
+        const nodeCrypto = await loadNodeCrypto();
+        const storedSecretBuf = entry.secretBuf;
+        const lengthMatch = storedSecretBuf.length === providedSecretBuf.length;
+        // Always run timingSafeEqual on equal-length inputs to keep timing flat.
+        // When lengths differ, run against a zero-padded copy of the same length
+        // to avoid an early-return timing signal.
+        const compareBuf = lengthMatch
+          ? providedSecretBuf
+          : Buffer.alloc(storedSecretBuf.length);
+        const compareResult = nodeCrypto.timingSafeEqual(storedSecretBuf, compareBuf);
+        if (!lengthMatch || !compareResult) {
+          logger.warn('[oxy.auth] Service token cache hit with mismatched secret', {
+            component: 'auth',
+            method: 'getServiceToken',
+          });
+          throw new ServiceCredentialMismatchError();
+        }
+
+        // Return cached token if still valid (with 60s buffer for clock drift)
+        if (entry.token && entry.expiresAt > now + 60_000) {
+          return entry.token;
+        }
+
+        // If a fetch is already in-flight for this credential, share its result
+        if (entry.pending) {
+          return entry.pending;
+        }
+      } else {
+        // First time seeing this apiKey on this instance — seed an empty entry
+        // so concurrent callers serialize on the same promise.
+        entry = {
+          token: '',
+          expiresAt: 0,
+          secretBuf: providedSecretBuf,
+          pending: null,
+        };
+        this._serviceTokenCache.set(cacheKey, entry);
+      }
+
+      const pending = this._doFetchServiceToken(key, secret, cacheKey, providedSecretBuf);
+      entry.pending = pending;
+      try {
+        return await pending;
+      } finally {
+        // Clear the in-flight slot; the entry itself (with fresh token / expiry)
+        // is updated inside _doFetchServiceToken before we land here.
+        const settled = this._serviceTokenCache.get(cacheKey);
+        if (settled) {
+          settled.pending = null;
+        }
       }
+    }
 
+    /**
+     * Perform the actual /auth/service-token request and cache the result.
+     * Separated so getServiceToken() can deduplicate concurrent calls.
+     * @internal
+     */
+    async _doFetchServiceToken(
+      key: string,
+      secret: string,
+      cacheKey: string,
+      secretBuf: Buffer,
+    ): Promise<string> {
       const response = await this.makeRequest<ServiceTokenResponse>(
         'POST',
         '/auth/service-token',
@@ -95,10 +241,24 @@ export function OxyServicesAuthMixin<T extends typeof OxyServicesBase>(Base: T)
         { cache: false, retry: false }
       );
 
-      this._serviceToken = response.token;
-      this._serviceTokenExp = Date.now() + response.expiresIn * 1000;
+      const expiresAt = Date.now() + response.expiresIn * 1000;
+      // Update the entry in-place so any caller that already grabbed a reference
+      // (via `_serviceTokenCache.get(...)`) sees the fresh state.
+      const entry = this._serviceTokenCache.get(cacheKey);
+      if (entry) {
+        entry.token = response.token;
+        entry.expiresAt = expiresAt;
+        entry.secretBuf = secretBuf;
+      } else {
+        this._serviceTokenCache.set(cacheKey, {
+          token: response.token,
+          expiresAt,
+          secretBuf,
+          pending: null,
+        });
+      }
 
-      return this._serviceToken;
+      return response.token;
     }
 
     /**

package/src/mixins/OxyServices.contacts.ts

@@ -0,0 +1,73 @@
+/**
+ * Contact Discovery Mixin
+ *
+ * Privacy-preserving discovery of which address-book contacts are on Oxy.
+ *
+ * The client hashes emails and phones locally before calling the API.
+ * The server responds with only Oxy user IDs and the hashes that matched,
+ * so the consumer can map each match back to the local contact that
+ * produced it.
+ *
+ * Hashing rules (must match the server `utils/contactHash.ts` exactly):
+ *   - SHA-256, hex-encoded, lowercase
+ *   - Email: `value.trim().toLowerCase()` then digest
+ *   - Phone: trim → keep a single leading "+" → strip non-digits → prepend "+"
+ *     if missing → digest
+ *
+ * Mobile clients can compute these digests with `expo-crypto`'s
+ * `digestStringAsync(SHA256, value, { encoding: HEX })`. Web clients should
+ * use `SubtleCrypto.digest('SHA-256', ...)`.
+ */
+
+import type { OxyServicesBase } from '../OxyServices.base';
+
+/** A single match returned by `POST /contacts/discover`. */
+export interface ContactDiscoveryMatch {
+  /** Oxy user ID (MongoDB ObjectId hex string). */
+  userId: string;
+  /** The hashed identifier from the request that matched this user. */
+  hashedIdentifier: string;
+  /** Whether the match came from the email index or phone index. */
+  matchType: 'email' | 'phone';
+}
+
+/** Response shape of `POST /contacts/discover`. */
+export interface ContactDiscoveryResponse {
+  matches: ContactDiscoveryMatch[];
+}
+
+export function OxyServicesContactsMixin<T extends typeof OxyServicesBase>(Base: T) {
+  return class extends Base {
+    constructor(...args: any[]) {
+      super(...(args as [any]));
+    }
+
+    /**
+     * Discover which of the caller's contacts are on Oxy.
+     *
+     * @param hashedEmails - SHA-256 hex digests of normalized emails.
+     * @param hashedPhones - SHA-256 hex digests of normalized phone numbers.
+     * @returns Matches mapping each hashed identifier to the Oxy user ID it
+     *   resolved to. Empty arrays are valid for either parameter, but at
+     *   least one must be non-empty.
+     *
+     * The server enforces a 200-hash cap per channel per request — callers
+     * should batch larger address books client-side.
+     */
+    async discoverContacts(
+      hashedEmails: string[],
+      hashedPhones: string[],
+    ): Promise<ContactDiscoveryResponse> {
+      try {
+        return await this.makeRequest<ContactDiscoveryResponse>(
+          'POST',
+          '/contacts/discover',
+          { hashedEmails, hashedPhones },
+          { cache: false },
+        );
+      } catch (error) {
+        throw this.handleError(error);
+      }
+    }
+  };
+}

package/src/mixins/OxyServices.features.ts

@@ -412,17 +412,7 @@ export function OxyServicesFeaturesMixin<T extends typeof OxyServicesBase>(Base:
             }
         }
 
-        // ==================
-        // ACCOUNT
-        // ==================
-
-        /**
-         * Delete user account (requires password confirmation)
-         */
-        async deleteAccount(password: string): Promise<void> {
-            return this.withAuthRetry(async () => {
-                await this.makeRequest('DELETE', '/account', { password }, { cache: false });
-            }, 'deleteAccount');
-        }
+        // Account deletion lives in OxyServices.user mixin — it requires
+        // an identity-key signature (not just a password) and hits DELETE /users/me.
     };
 }

package/src/mixins/OxyServices.fedcm.ts

@@ -372,10 +372,11 @@ export function OxyServicesFedCMMixin<T extends typeof OxyServicesBase>(Base: T)
               {
                 configURL: options.configURL,
                 clientId: options.clientId,
-                // Send nonce at both levels for backward compatibility
-                nonce: options.nonce, // For older browsers
+                // Older browsers read `nonce` at the top level; Chrome 145+
+                // expects it inside `params`. Send both for full coverage.
+                nonce: options.nonce,
                 params: {
-                  nonce: options.nonce, // For Chrome 145+
+                  nonce: options.nonce,
                 },
                 ...(options.loginHint && { loginHint: options.loginHint }),
               },

package/src/mixins/OxyServices.language.ts

@@ -4,6 +4,7 @@
 import { normalizeLanguageCode, getLanguageMetadata, getLanguageName, getNativeLanguageName } from '../utils/languageUtils';
 import type { LanguageMetadata } from '../utils/languageUtils';
 import type { OxyServicesBase } from '../OxyServices.base';
+import { loadAsyncStorage } from '../utils/platformCrypto';
 import { isDev } from '../shared/utils/debugUtils';
 
 export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base: T) {
@@ -23,10 +24,11 @@ export function OxyServicesLanguageMixin<T extends typeof OxyServicesBase>(Base:
       
       if (isReactNative) {
         try {
-          // Variable indirection prevents bundlers (Vite, webpack) from statically resolving this
-          const moduleName = '@react-native-async-storage/async-storage';
-          const asyncStorageModule = await import(/* @vite-ignore */ moduleName);
-          const storage = asyncStorageModule.default as unknown as { getItem: (key: string) => Promise<string | null>; setItem: (key: string, value: string) => Promise<void>; removeItem: (key: string) => Promise<void> };
+          // `loadAsyncStorage` is per-platform: the RN variant statically imports
+          // @react-native-async-storage/async-storage, the default variant throws
+          // (never called outside RN because of the `isReactNative` gate above).
+          const asyncStorageModule = await loadAsyncStorage();
+          const storage = asyncStorageModule.default;
           return {
             getItem: storage.getItem.bind(storage),
             setItem: storage.setItem.bind(storage),

package/src/mixins/OxyServices.redirect.ts

@@ -177,12 +177,16 @@ export function OxyServicesRedirectAuthMixin<T extends typeof OxyServicesBase>(B
     this.storeTokens(accessToken, sessionId);
     this.httpService.setTokens(accessToken);
 
-    // Build session response (minimal - we'll fetch full user data separately)
+    // Build session response (minimal — full user data is fetched separately
+    // by the caller via getCurrentUser() once tokens are stored).
     const session: SessionLoginResponse = {
       sessionId,
       deviceId: '', // Not available in redirect flow
       expiresAt: expiresAt || new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString(),
-      user: {} as any, // Will be fetched separately
+      // Placeholder user — caller MUST fetch real user data via getCurrentUser()
+      // before exposing this session to the application. The empty id signals
+      // that the user payload has not yet been populated.
+      user: { id: '', username: '' },
     };
 
     // Clean up URL (remove auth parameters)

package/src/mixins/OxyServices.security.ts

@@ -24,19 +24,29 @@ export function OxyServicesSecurityMixin<T extends typeof OxyServicesBase>(Base:
       eventType?: SecurityEventType
     ): Promise<SecurityActivityResponse> {
       try {
-        const params: any = {};
+        const params: Record<string, unknown> = {};
         if (limit !== undefined) params.limit = limit;
         if (offset !== undefined) params.offset = offset;
         if (eventType) params.eventType = eventType;
 
-        const response = await this.makeRequest<SecurityActivityResponse>(
-          'GET',
-          '/security/activity',
-          params,
-          { cache: false }
-        );
+        // The API responds with the standard paginated envelope:
+        //   { data: SecurityActivity[], pagination: { total, limit, offset, hasMore } }
+        // SecurityActivityResponse is the flattened shape consumers expect.
+        const raw = await this.makeRequest<{
+          data: SecurityActivity[];
+          pagination: { total: number; limit: number; offset: number; hasMore: boolean };
+        }>('GET', '/security/activity', params, { cache: false });
+
+        const requestedLimit = typeof params.limit === 'number' ? params.limit : 0;
+        const requestedOffset = typeof params.offset === 'number' ? params.offset : 0;
 
-        return response;
+        return {
+          data: raw.data ?? [],
+          total: raw.pagination?.total ?? raw.data?.length ?? 0,
+          limit: raw.pagination?.limit ?? requestedLimit,
+          offset: raw.pagination?.offset ?? requestedOffset,
+          hasMore: raw.pagination?.hasMore ?? false,
+        };
       } catch (error) {
         throw this.handleError(error);
       }

package/src/mixins/OxyServices.user.ts

@@ -1,9 +1,11 @@
 /**
  * User Management Methods Mixin
  */
-import type { User, Notification, SearchProfilesResponse, PaginationInfo } from '../models/interfaces';
+import type { User, Notification, SearchProfilesResponse, PaginationInfo, PrivacySettings } from '../models/interfaces';
 import type { OxyServicesBase } from '../OxyServices.base';
 import { buildSearchParams, buildPaginationParams, type PaginationParams } from '../utils/apiUtils';
+import { KeyManager } from '../crypto/keyManager';
+import { SignatureService } from '../crypto/signatureService';
 
 export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T) {
   return class extends Base {
@@ -51,7 +53,7 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
         const searchParams = buildSearchParams(params);
         const paramsObj = Object.fromEntries(searchParams.entries());
 
-        const response = await this.makeRequest<SearchProfilesResponse | User[]>(
+        const response = await this.makeRequest<SearchProfilesResponse>(
           'GET',
           '/profiles/search',
           paramsObj,
@@ -61,43 +63,26 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
           }
         );
 
-        // New API shape: { data: User[], pagination: {...} }
-        const isSearchProfilesResponse = (payload: unknown): payload is SearchProfilesResponse =>
-          typeof payload === 'object' &&
-          payload !== null &&
-          Array.isArray((payload as SearchProfilesResponse).data);
-
-        if (isSearchProfilesResponse(response)) {
-          const typedResponse = response;
-          const paginationInfo: PaginationInfo = typedResponse.pagination ?? {
-            total: typedResponse.data.length,
-            limit: pagination?.limit ?? typedResponse.data.length,
-            offset: pagination?.offset ?? 0,
-            hasMore: typedResponse.data.length === (pagination?.limit ?? typedResponse.data.length) &&
-              (pagination?.limit ?? typedResponse.data.length) > 0,
-          };
-
-          return {
-            data: typedResponse.data,
-            pagination: paginationInfo,
-          };
+        if (
+          typeof response !== 'object' ||
+          response === null ||
+          !Array.isArray(response.data)
+        ) {
+          throw new Error('Unexpected search response format');
         }
 
-        // Legacy API shape: returns raw User[]
-        if (Array.isArray(response)) {
-          const fallbackLimit = pagination?.limit ?? response.length;
-          const fallbackPagination: PaginationInfo = {
-            total: response.length,
-            limit: fallbackLimit,
-            offset: pagination?.offset ?? 0,
-            hasMore: fallbackLimit > 0 && response.length === fallbackLimit,
-          };
-
-          return { data: response, pagination: fallbackPagination };
-        }
+        const paginationInfo: PaginationInfo = response.pagination ?? {
+          total: response.data.length,
+          limit: pagination?.limit ?? response.data.length,
+          offset: pagination?.offset ?? 0,
+          hasMore: response.data.length === (pagination?.limit ?? response.data.length) &&
+            (pagination?.limit ?? response.data.length) > 0,
+        };
 
-        // If response is unexpected, throw an error
-        throw new Error('Unexpected search response format');
+        return {
+          data: response.data,
+          pagination: paginationInfo,
+        };
       } catch (error) {
         throw this.handleError(error);
       }
@@ -206,12 +191,33 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     }
 
     /**
-     * Update user profile
-     * TanStack Query handles offline queuing automatically
+     * Update user profile.
+     *
+     * Invalidates the SDK-side response cache for every endpoint that
+     * returns the current user (`GET /users/me`, `GET /session/user/*`,
+     * `GET /users/<id>`, `GET /profiles/username/*`) so the next read
+     * doesn't return a stale snapshot. Without this, a follow-up
+     * `getUserBySession` call inside the 2-minute cache window can return
+     * the pre-update user — most visibly during onboarding, where it
+     * causes the username step to flicker back as if nothing was saved.
+     *
+     * TanStack Query handles offline queuing automatically.
      */
-    async updateProfile(updates: Record<string, any>): Promise<User> {
+    async updateProfile(updates: Partial<User>): Promise<User> {
       try {
-        return await this.makeRequest<User>('PUT', '/users/me', updates, { cache: false });
+        const result = await this.makeRequest<User>('PUT', '/users/me', updates, { cache: false });
+
+        // Bust every cached representation of the current user. We use a
+        // prefix sweep rather than an enumeration because the SDK never
+        // tracks the set of active session IDs centrally.
+        this.clearCacheByPrefix('GET:/session/user/');
+        this.clearCacheByPrefix('GET:/users/me');
+        this.clearCacheByPrefix('GET:/profiles/username/');
+        if (result?.id) {
+          this.clearCacheEntry(`GET:/users/${result.id}`);
+        }
+
+        return result;
       } catch (error) {
         const errorAny = error as any;
         const errorMessage = error instanceof Error ? error.message : String(error);
@@ -237,10 +243,10 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
      * Get privacy settings for a user
      * @param userId - The user ID (defaults to current user)
      */
-    async getPrivacySettings(userId?: string): Promise<any> {
+    async getPrivacySettings(userId?: string): Promise<PrivacySettings> {
       try {
         const id = userId || (await this.getCurrentUser()).id;
-        return await this.makeRequest<any>('GET', `/privacy/${id}/privacy`, undefined, {
+        return await this.makeRequest<PrivacySettings>('GET', `/privacy/${id}/privacy`, undefined, {
           cache: true,
           cacheTTL: 2 * 60 * 1000, // 2 minutes cache
         });
@@ -254,10 +260,10 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
      * @param settings - Partial privacy settings object
      * @param userId - The user ID (defaults to current user)
      */
-    async updatePrivacySettings(settings: Record<string, any>, userId?: string): Promise<any> {
+    async updatePrivacySettings(settings: Partial<PrivacySettings>, userId?: string): Promise<PrivacySettings> {
       try {
         const id = userId || (await this.getCurrentUser()).id;
-        return await this.makeRequest<any>('PATCH', `/privacy/${id}/privacy`, settings, {
+        return await this.makeRequest<PrivacySettings>('PATCH', `/privacy/${id}/privacy`, settings, {
           cache: false,
         });
       } catch (error) {
@@ -299,14 +305,31 @@ export function OxyServicesUserMixin<T extends typeof OxyServicesBase>(Base: T)
     }
 
     /**
-     * Delete account permanently
-     * @param password - User password for confirmation
-     * @param confirmText - Confirmation text (usually username)
+     * Delete account permanently.
+     *
+     * Signs `delete:{publicKey}:{timestamp}` with the locally-stored identity
+     * private key and submits the signature alongside the confirmation text
+     * (must equal the user's username). The signature is the cryptographic
+     * proof of ownership — only the device holding the private key can issue
+     * a valid signature, so no password is required.
+     *
+     * @param confirmText - Must equal the user's username (verified server-side)
+     * @throws If no identity is stored on this device, or signing fails
      */
-    async deleteAccount(password: string, confirmText: string): Promise<{ message: string }> {
+    async deleteAccount(confirmText: string): Promise<{ message: string }> {
       try {
+        const publicKey = await KeyManager.getPublicKey();
+        if (!publicKey) {
+          throw new Error('No identity found on this device. Account deletion requires the device that holds your identity key.');
+        }
+
+        const timestamp = Date.now();
+        const message = `delete:${publicKey}:${timestamp}`;
+        const signature = await SignatureService.sign(message);
+
         return await this.makeRequest<{ message: string }>('DELETE', '/users/me', {
-          password,
+          signature,
+          timestamp,
           confirmText,
         }, { cache: false });
       } catch (error) {